I am currently taking a principles of information security class. While talking about different encryption methods a large number of my classmates seem to believe that Asymmetric Encryption is better (more secure) than Symmetric Encryption. A typical statement is something like this:

Generally asymmetric encryption schemes are more secure because they
require both a public and a private key.

Certainly with symmetric encryption you have to worry about secure key exchange but as far as I can tell there's no inherent reason why one must be more secure than the other.

Especially given that the asymmetric part is often just used for the key exchange and then the actual data is encrypted with a symmetric algorithm.

So, am I missing something or can a general statement like this really be made about which is more secure.

So if I have a message encrypted with AES and another copy encrypted with RSA and all other things being equal which is more likely to be cracked. Can this comparison even be made?

There is no way to directly compare them. I would point out the only thing we can say is secure is one time truly random pad based XOR stream cipher (which is symmetric), however key exchange is a major problem. We can also say that we can, in theory, break RSA and El Gammel (the two main asymmetric) algorithms) with quantum computing, we just haven't built the device to actually do it..
–
ewanm89Sep 16 '11 at 23:39

2

For the same key size typically the asymmetric encryption (especially RSA) is less secure. Of course in practice you offset this by using larger keys.
–
starblueSep 17 '11 at 7:54

6 Answers
6

There is a sense in which you can define the strength of a particular encryption algorithm¹: roughly speaking, the strength is the number of attempts that need to be made in order to break the encryption. More precisely, the strength is the amount of computation that needs to be done to find the secret. Ideally, the strength of an algorithm is the number of brute-force attempts that need to be made (weighed by the complexity of each attempt, or reduced if some kind of parallelization allows for multiple attempts to share some of the work); as attacks on the algorithm improve, the actual strength goes down.

It's important to realize that “particular encryption algorithm” includes considering a specific key size. That is, you're not pitching RSA against AES, but 1024-bit RSA (with a specific padding mode) with AES-256 (with a specific chaining mode, IV, etc.). In that sense, you can ask: if I have a copy of my data encrypted with algorithm A with given values of parameters P and Q (in particular the key size), and a copy encrypted with algorithm B with parameters P and R, then which of (A,Pval₁,Qval₁) and (B,Pval₂,Rval₂) is likely to be cracked first?

In practice, many protocols involve the use of multiple cryptographic primitives. Different primitives have different possible uses, and even when several primitives can serve a given function, there can be one that's better suited than others. When choosing a cryptographic primitive for a given purpose, the decision process goes somewhat like this:

What algorithms can do the job? → I can use A or B or C.

What strength to I need? → I want 2N operations, so I need key size LA for primitive A, LB for primitive B, LC for primitive C.

Given my constraints (brute speed, latency, memory efficiency, …), which of these (LA-bit A or LB-bit B or LC-bit C) is best?

For example, let's say your requirement is a protocol for exchanging data with a party you don't trust. Then symmetric cryptography cannot do the job on its own: you need some way to share the key. Asymmetric cryptography such as RSA can do the job, if you let the parties exchange public keys in advance. (This is not the only possibility but I won't go into details here.) So you can decide on whatever RSA key length has the right strength for your application. However RSA is slow and cumbersome (for example there aren't standard protocols to apply RSA encryption to a stream — mainly because no one has bothered because they'd be so slow). Many common protocols involving public-key cryptography use it only to exchange a limited-duration secret: a session key for some symmetric cryptography algorithm. This is known as hybrid encryption. Again, you choose the length of the session key according to the desired strength. In this scenario, the two primitives involved tend to have the same strength.

¹
The same notion applies to other uses of cryptography, such as signing or hashing.

So in other words strength is independent of symmetry?
–
matthewSep 17 '11 at 0:37

1

@matthew The notion of strength is independent of properties such as symmetry. The way to compute strength for a given primitive depends on far more than whether it is symmetric.
–
GillesSep 17 '11 at 10:48

Symmetric and asymmetric encryption are distinct operations which operate in distinct contexts, for distinct usages and distinct attack models. There is little sense in claiming that either is "more secure" than the other (it would first require some kind of quantified measure of security, which is not easy to define).

Asymmetric encryption is more demanding: it is about realizing encryption and being able to publish the ways to encrypt (the public key) without revealing the ways to decrypt (the private key). A practical implementation needs mathematics, whereas symmetric encryption is mostly scrambling things around (mind you, it is difficult to do a good job of scrambling; but still, less mathematics are involved).

Commonly deployed systems (e.g. SSL/TLS) combine asymmetric encryption and symmetric encryption (and a few other things as well) into protocols which do some intended job (e.g. "bidirectional tunnel with confidentiality, integrity and authentication").

Choosing between symmetric and asymmetric encryption depends on the use case.

Symmetric encryption is used to share information between a set of people that all shall have access to it. Furthermore symmetric encryption is nice because it is easier to understand (less likely to mess it up) and the algorithms tend to be faster.

Asymmetric encryption is used when a large number of subsets of people shall be able to share information. Furthermore asymmetric cryptography can be used in reverse to sign documents. This is especially interesting because it allows people to certify that a public key belongs to a certain person.

In a set of 10 people, allowing every pair of people to communicate securely, requires 45 unique keys (9+8+7+6+5+4+3+2+1). And now think about of the internet instead of the small set of 10 people. It's obvious that this cannot be handled with symmetric keys.

In the real world both types are often combined. An asymmetric approach is used to confirm the identity of a communication partner and to transmit something that will result in a symmetric key. This symmetric key is then used to for performant encryption of the actual data.

Those are all valid reasons to use one or the other, but it doesn't quite speak to the "strength". Perhaps a better way to ask is "which is easier to break?"
–
matthewSep 16 '11 at 21:27

1

As they have different purposes and work differently, this general question is too unspecific. If you take performance or required key length as indicator, symmetric encryption will win. If you take easiness of providing information on a need to know basis to specific individuals from a larger group of people as measurement (to reduce the number of people that may compromise the secret), asymmetric encryption will win. Really, comparing these approaches only makes sense in concrete contexts.
–
Hendrik BrummermannSep 16 '11 at 21:36

Generally asymmetric encryption schemes are more secure because they require both a public and a private key.

No. You can't say that. That's baloney. It's just not true.

Strength is independent of symmetric vs asymmetric. Symmetric cryptography and asymmetric cryptography are two different kinds of cryptographic tool. Each one can be either weak or strong, depending. There's no reason whatsoever why asymmetric cryptography is necessarily stronger than symmetric cryptography.

For example:

AES is more secure against cryptanalytic attacks than 512-bit RSA, even though RSA is asymmetric and AES is symmetric.

4096-bit RSA is more secure against cryptanalytic attacks than 40-bit RC4, even though RC4 is symmetric and RSA is asymmetric.

I agree with what Thomas stated above. Both symmetric and asymmetric encryption are distinct operations.

Symmetric encryption is less expensive than asymmetric encryption. Expensive as in it requires less processing. To be exact, I am referring to the decryption process.

And this is why SSL/TLS uses a combination of both symmetric and asymmetric encryption. The asymmetric encryption/decryption between two peers during a SSL/TLS transaction is only happen during initial handshake. Once both peers agreed upon a shared private key then the rest of the communication would be using symmetric encryption. By doing so, the only expensive operation will taken place during the initial handshake and rest of the communication will be using symmetric encryption which is require less resource.

In asymmetric encryption with public key cryptography, there is an exchange of public keys which could be intercepted by a man-in-the-middle. That is a major weakness, which symmetric encryption doesn't have. Since the US government is doing mass-surveillance, there's a real possibility that MIM is commonplace. Using predetermined keys with symmetric algorithms and using truly randomly generated numbers would seem to be less vulnerable than relying on public key exchange.

If you have a secure channel to share symmetric keys, you can also use that to share public keys. Public/private key crypto adds the additional possibility to attach information about the owner to a public key and let trusted party sign this information.
–
Hendrik BrummermannDec 15 '14 at 21:09

If a certificate authority is used in order to create the so-called "secure channel," there's no way to determine whether the CA was compromised because of a warrant and a secret court.
–
vrtjasonDec 15 '14 at 21:21

1

vrtjason - what Hendrik is talking about is that you need to share the keys whether you use symmetric or asymmetric crypto.
–
Rory Alsop♦Dec 16 '14 at 0:15

@Alsop Hendrik was talking about public key exchange using a secure channel enabled by a trusted party. If the trusted party is compromised, then the trust in that party is misplaced, and therefore the secure channel is not truly secure. Symmetric crypto simply does not depend on exchange of public keys, or trusted parties. Whether or not symmetric crypto is utilized following the exchange of public keys is irrelevant if indeed the exchange of keys was compromised. You should know this if you're posting on this thread.
–
vrtjasonDec 16 '14 at 20:03

1

Symmetric crypto does depend on the secure exchange of keys. My point is this: Assuming you have such a secure channel, you can use it to exchange public keys as well. Asymmetric crypto does add additional possibilities by involving trusted third parties, but you do not need to use third parties. Other advantages still apply: e.g., You can sign messages to protect them against modifications. You can just pick your private key to decrypt any message sent to you without having to look for the right key. Disclosing public keys is not an issue...
–
Hendrik BrummermannDec 17 '14 at 14:53